Ruleset Update Summary - 2025/04/17 - v10908

Summary:

174 new OPEN, 181 new PRO (174 + 7)
Added rules:

Open:

  • 2018372 - ET RETIRED Malformed HeartBeat Request (retired.rules)
  • 2018373 - ET RETIRED Malformed HeartBeat Response (retired.rules)
  • 2018374 - ET RETIRED Malformed HeartBeat Request method 2 (retired.rules)
  • 2036985 - ET RETIRED Observed DNS Query to Maldoc Domain (webnar .info) (retired.rules)
  • 2037107 - ET RETIRED Win32/Delf.TJJ CnC Checkin M1 (retired.rules)
  • 2037108 - ET RETIRED Win32/Delf.TJJ CnC Checkin M2 (retired.rules)
  • 2037111 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (dsk .5636 .com) (retired.rules)
  • 2037112 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (wx .go890 .com) (retired.rules)
  • 2037113 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (cfg .jipinwan .com) (retired.rules)
  • 2037114 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (bk .957wan .com) (retired.rules)
  • 2037115 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (www .58sky .com) (retired.rules)
  • 2037116 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (cnwx .58ad .cn) (retired.rules)
  • 2037117 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (gc .wb51 .com) (retired.rules)
  • 2037118 - ET RETIRED Win32/Delf.TJJ CnC Domain in DNS Lookup (cmps .58sky .com) (retired.rules)
  • 2037143 - ET RETIRED ZuoRAT CBeacon CnC (retired.rules)
  • 2037741 - ET RETIRED AlphabetSoup Adware Extension CnC Checkin (retired.rules)
  • 2038900 - ET RETIRED Win32/Agent.XXZ Checkin (retired.rules)
  • 2038901 - ET RETIRED Win32/Covagent Checkin (retired.rules)
  • 2039778 - ET RETIRED GO/Titan Stealer Data Exfiltration Attempt (retired.rules)
  • 2043198 - ET RETIRED Win32/Aurora Stealer WORK Command (retired.rules)
  • 2043199 - ET RETIRED Win32/Aurora Stealer Accept Command (retired.rules)
  • 2043200 - ET RETIRED Win32/Aurora Stealer Thanks Command (retired.rules)
  • 2045222 - ET RETIRED TA453 Modified IIS-Raid Backdoor Module Headers in HTTP Request (retired.rules)
  • 2045223 - ET RETIRED TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request (retired.rules)
  • 2045224 - ET RETIRED TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request (retired.rules)
  • 2045225 - ET RETIRED IIS-Raid Module Backdoor Default Headers in HTTP Request (retired.rules)
  • 2045226 - ET RETIRED IIS-Raid Module Backdoor Ping in HTTP Request (retired.rules)
  • 2045298 - ET RETIRED Truebot/Silence.Downloader No Tasking Response from Server (retired.rules)
  • 2045299 - ET RETIRED TrueBot/Silence.Downloader CnC Checkin 4 (retired.rules)
  • 2046259 - ET RETIRED Kimsuky ReconShark Related APT Activity (retired.rules)
  • 2046729 - ET RETIRED [ANY.RUN] Remcos RAT Checkin 861 (retired.rules)
  • 2046730 - ET RETIRED GobRAT CnC Domain in DNS Lookup (ktlvz .dnsfailover .net) (retired.rules)
  • 2046731 - ET RETIRED GobRAT CnC Domain in DNS Lookup (wpksi .mefound .com) (retired.rules)
  • 2046732 - ET RETIRED GobRAT CnC Domain in DNS Lookup (su .vealcat .com) (retired.rules)
  • 2046733 - ET RETIRED Observed GobRAT Domain (ktlvz .dnsfailover .net) in TLS SNI (retired.rules)
  • 2046734 - ET RETIRED Observed GobRAT Domain (wpksi .mefound .com) in TLS SNI (retired.rules)
  • 2046735 - ET RETIRED Observed GobRAT Domain (su .vealcat .com) in TLS SNI (retired.rules)
  • 2046881 - ET RETIRED Suspected Andariel RexPot CnC Checkin M1 (retired.rules)
  • 2046882 - ET RETIRED Suspected Andariel RexPot CnC Checkin M2 (retired.rules)
  • 2047004 - ET RETIRED Win32/OriginLoader CnC Checkin (retired.rules)
  • 2047005 - ET RETIRED MacOS/Realst CnC Checkin (retired.rules)
  • 2047616 - ET RETIRED MacOS/RustBucket System Information Exfiltration Attempt (retired.rules)
  • 2047638 - ET RETIRED APT29 CnC Domain in DNS Lookup (sgrhf .org .pk) (retired.rules)
  • 2047639 - ET RETIRED APT29 CnC Domain in DNS Lookup (toyy .zulipchat .com) (retired.rules)
  • 2047640 - ET RETIRED APT29 CnC Domain in DNS Lookup (edenparkweddings .com) (retired.rules)
  • 2047641 - ET RETIRED Observed APT29 Domain (sgrhf .org .pk) in TLS SNI (retired.rules)
  • 2047642 - ET RETIRED Observed APT29 Domain (toyy .zulipchat .com) in TLS SNI (retired.rules)
  • 2047643 - ET RETIRED Observed APT29 Domain (edenparkweddings .com) in TLS SNI (retired.rules)
  • 2047751 - ET RETIRED Suspected Adware/AccessMembre Domain in DNS Lookup (iconm1 .com) (retired.rules)
  • 2047959 - ET RETIRED Red Wolf/RedCurl Payload Retrieval Attempt M5 (retired.rules)
  • 2047960 - ET RETIRED Red Wolf/RedCurl Payload Retrieval Attempt M6 (retired.rules)
  • 2047961 - ET RETIRED Red Wolf/RedCurl Implant Checkin (retired.rules)
  • 2048084 - ET RETIRED Android/MMRAT Data Exfiltration Attempt (retired.rules)
  • 2048104 - ET RETIRED Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (retired.rules)
  • 2048105 - ET RETIRED Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (retired.rules)
  • 2048118 - ET RETIRED Earth Lusca/SprySOCKS CnC Checkin (retired.rules)
  • 2048397 - ET RETIRED BunnyLoader - Initial CnC Checkin (retired.rules)
  • 2048399 - ET RETIRED BunnyLoader CnC Checkin - Retrieve Tasking (retired.rules)
  • 2048400 - ET RETIRED BunnyLoader CnC Tasking Response (retired.rules)
  • 2048401 - ET RETIRED BunnyLoader CnC Checkin - Echoer (retired.rules)
  • 2048402 - ET RETIRED BunnyLoader CnC Checkin - Heartbeat (retired.rules)
  • 2048404 - ET RETIRED BunnyLoader CnC Checkin - ResultCMD (retired.rules)
  • 2048405 - ET RETIRED BunnyLoader Data Exfiltration Attempt (retired.rules)
  • 2049140 - ET RETIRED Win32/Fewin Stealer Data Exfiltration Attempt (retired.rules)
  • 2049152 - ET RETIRED Win32/Unknown RAT CnC Checkin (retired.rules)
  • 2049794 - ET RETIRED Possible KV Botnet CnC Checkin (retired.rules)
  • 2049813 - ET RETIRED Win32/Koi Loader CnC Checkin M1 (retired.rules)
  • 2049814 - ET RETIRED Win32/Koi Loader CnC Checkin M2 (retired.rules)
  • 2049815 - ET RETIRED Win32/Koi Loader CnC Checkin M3 (retired.rules)
  • 2049816 - ET RETIRED Win32/Koi Stealer CnC Checkin (POST) M1 (retired.rules)
  • 2050236 - ET RETIRED Trojanized Software Download Domain in DNS Lookup (macyy .cn) (retired.rules)
  • 2050237 - ET RETIRED Khepri CnC Domain in DNS Lookup (securecrt .cc) (retired.rules)
  • 2050238 - ET RETIRED Khepri CnC Domain in DNS Lookup (ultraedit .info) (retired.rules)
  • 2050239 - ET RETIRED Khepri CnC Domain in DNS Lookup (securecrt .vip) (retired.rules)
  • 2050240 - ET RETIRED Khepri CnC Domain in DNS Lookup (rdesktophub .com) (retired.rules)
  • 2050241 - ET RETIRED Khepri CnC Domain in DNS Lookup (macnavicat .com) (retired.rules)
  • 2050242 - ET RETIRED Khepri CnC Domain in DNS Lookup (vscode .digital) (retired.rules)
  • 2050243 - ET RETIRED Khepri CnC Domain in DNS Lookup (ultraedit .vip) (retired.rules)
  • 2050244 - ET RETIRED Khepri CnC Domain in DNS Lookup (finallshell .cc) (retired.rules)
  • 2050245 - ET RETIRED Khepri CnC Domain in DNS Lookup (finalshell .me) (retired.rules)
  • 2050246 - ET RETIRED Khepri CnC Domain in DNS Lookup (rdesktopconnect .com) (retired.rules)
  • 2050247 - ET RETIRED Khepri CnC Domain in DNS Lookup (xmindcn .cc) (retired.rules)
  • 2050248 - ET RETIRED Suspicious Request for bd.log (retired.rules)
  • 2050249 - ET RETIRED Suspicious Request for fs.log (retired.rules)
  • 2050279 - ET RETIRED [ANY.RUN] ZharkBOT HTTP CnC Checkin (retired.rules)
  • 2061639 - ET EXPLOIT_KIT Fake Captcha Domain (analytiwave .com) in DNS Lookup (exploit_kit.rules)
  • 2061640 - ET EXPLOIT_KIT Fake Captcha Domain (sharecloudes .com) in DNS Lookup (exploit_kit.rules)
  • 2061641 - ET EXPLOIT_KIT Fake Captcha Domain (goclouder .com) in DNS Lookup (exploit_kit.rules)
  • 2061642 - ET EXPLOIT_KIT Fake Captcha Domain (goclouder .net) in DNS Lookup (exploit_kit.rules)
  • 2061643 - ET EXPLOIT_KIT Fake Captcha Domain (stat .bundlehulu .com) in DNS Lookup (exploit_kit.rules)
  • 2061644 - ET EXPLOIT_KIT Fake Captcha Domain (gocloudes .com) in DNS Lookup (exploit_kit.rules)
  • 2061645 - ET EXPLOIT_KIT Fake Captcha Domain (analytido .com) in DNS Lookup (exploit_kit.rules)
  • 2061646 - ET EXPLOIT_KIT Observed Fake Captcha Domain (analytiwave .com) in TLS SNI (exploit_kit.rules)
  • 2061647 - ET EXPLOIT_KIT Observed Fake Captcha Domain (sharecloudes .com) in TLS SNI (exploit_kit.rules)
  • 2061648 - ET EXPLOIT_KIT Observed Fake Captcha Domain (goclouder .com) in TLS SNI (exploit_kit.rules)
  • 2061649 - ET EXPLOIT_KIT Observed Fake Captcha Domain (goclouder .net) in TLS SNI (exploit_kit.rules)
  • 2061650 - ET EXPLOIT_KIT Observed Fake Captcha Domain (stat .bundlehulu .com) in TLS SNI (exploit_kit.rules)
  • 2061651 - ET EXPLOIT_KIT Observed Fake Captcha Domain (gocloudes .com) in TLS SNI (exploit_kit.rules)
  • 2061652 - ET EXPLOIT_KIT Observed Fake Captcha Domain (analytido .com) in TLS SNI (exploit_kit.rules)
  • 2061653 - ET EXPLOIT_KIT Fake Captcha Domain (security .flargyard .com) in DNS Lookup (exploit_kit.rules)
  • 2061654 - ET EXPLOIT_KIT Fake Captcha Domain (ubiosut .com) in DNS Lookup (exploit_kit.rules)
  • 2061655 - ET EXPLOIT_KIT Fake Captcha Domain (ubiosut .info) in DNS Lookup (exploit_kit.rules)
  • 2061656 - ET EXPLOIT_KIT Fake Captcha Domain (lomerhs .com) in DNS Lookup (exploit_kit.rules)
  • 2061657 - ET EXPLOIT_KIT Fake Captcha Domain (security .clodufgard .com) in DNS Lookup (exploit_kit.rules)
  • 2061658 - ET EXPLOIT_KIT Fake Captcha Domain (folherc .org) in DNS Lookup (exploit_kit.rules)
  • 2061659 - ET EXPLOIT_KIT Fake Captcha Domain (lomerhs .info) in DNS Lookup (exploit_kit.rules)
  • 2061660 - ET EXPLOIT_KIT Fake Captcha Domain (xoebty .info) in DNS Lookup (exploit_kit.rules)
  • 2061661 - ET EXPLOIT_KIT Fake Captcha Domain (amoliera .org) in DNS Lookup (exploit_kit.rules)
  • 2061662 - ET EXPLOIT_KIT Fake Captcha Domain (unazer .com) in DNS Lookup (exploit_kit.rules)
  • 2061663 - ET EXPLOIT_KIT Fake Captcha Domain (xoebty .org) in DNS Lookup (exploit_kit.rules)
  • 2061664 - ET EXPLOIT_KIT Fake Captcha Domain (security .cloydgvarde .com) in DNS Lookup (exploit_kit.rules)
  • 2061665 - ET EXPLOIT_KIT Fake Captcha Domain (security .clodufshield .com) in DNS Lookup (exploit_kit.rules)
  • 2061666 - ET EXPLOIT_KIT Fake Captcha Domain (daoeidk .org) in DNS Lookup (exploit_kit.rules)
  • 2061667 - ET EXPLOIT_KIT Fake Captcha Domain (folherc .com) in DNS Lookup (exploit_kit.rules)
  • 2061668 - ET EXPLOIT_KIT Fake Captcha Domain (anerolki .info) in DNS Lookup (exploit_kit.rules)
  • 2061669 - ET EXPLOIT_KIT Fake Captcha Domain (amoliera .com) in DNS Lookup (exploit_kit.rules)
  • 2061670 - ET EXPLOIT_KIT Fake Captcha Domain (daoeidk .info) in DNS Lookup (exploit_kit.rules)
  • 2061671 - ET EXPLOIT_KIT Fake Captcha Domain (unazer .org) in DNS Lookup (exploit_kit.rules)
  • 2061672 - ET EXPLOIT_KIT Fake Captcha Domain (folherc .info) in DNS Lookup (exploit_kit.rules)
  • 2061673 - ET EXPLOIT_KIT Fake Captcha Domain (anerolki .org) in DNS Lookup (exploit_kit.rules)
  • 2061674 - ET EXPLOIT_KIT Fake Captcha Domain (security .flaiegaurd .com) in DNS Lookup (exploit_kit.rules)
  • 2061675 - ET EXPLOIT_KIT Fake Captcha Domain (security .closecufre .com) in DNS Lookup (exploit_kit.rules)
  • 2061676 - ET EXPLOIT_KIT Fake Captcha Domain (cesiabs .org) in DNS Lookup (exploit_kit.rules)
  • 2061677 - ET EXPLOIT_KIT Fake Captcha Domain (jehvkc .info) in DNS Lookup (exploit_kit.rules)
  • 2061678 - ET EXPLOIT_KIT Fake Captcha Domain (security .secuclauf .com) in DNS Lookup (exploit_kit.rules)
  • 2061679 - ET EXPLOIT_KIT Fake Captcha Domain (xoebty .com) in DNS Lookup (exploit_kit.rules)
  • 2061680 - ET EXPLOIT_KIT Fake Captcha Domain (broadsage .net) in DNS Lookup (exploit_kit.rules)
  • 2061681 - ET EXPLOIT_KIT Fake Captcha Domain (njolekaz .com) in DNS Lookup (exploit_kit.rules)
  • 2061682 - ET EXPLOIT_KIT Fake Captcha Domain (security .colkudflare .com) in DNS Lookup (exploit_kit.rules)
  • 2061683 - ET EXPLOIT_KIT Fake Captcha Domain (jehvkc .com) in DNS Lookup (exploit_kit.rules)
  • 2061684 - ET EXPLOIT_KIT Fake Captcha Domain (lomerhs .org) in DNS Lookup (exploit_kit.rules)
  • 2061685 - ET EXPLOIT_KIT Fake Captcha Domain (broadsage .com) in DNS Lookup (exploit_kit.rules)
  • 2061686 - ET EXPLOIT_KIT Fake Captcha Domain (cesiabs .info) in DNS Lookup (exploit_kit.rules)
  • 2061687 - ET EXPLOIT_KIT Fake Captcha Domain (unazer .info) in DNS Lookup (exploit_kit.rules)
  • 2061688 - ET EXPLOIT_KIT Fake Captcha Domain (njolekaz .info) in DNS Lookup (exploit_kit.rules)
  • 2061689 - ET EXPLOIT_KIT Fake Captcha Domain (ubiosut .org) in DNS Lookup (exploit_kit.rules)
  • 2061690 - ET EXPLOIT_KIT Fake Captcha Domain (daoeidk .com) in DNS Lookup (exploit_kit.rules)
  • 2061691 - ET EXPLOIT_KIT Fake Captcha Domain (broadsage .org) in DNS Lookup (exploit_kit.rules)
  • 2061692 - ET EXPLOIT_KIT Fake Captcha Domain (anerolki .com) in DNS Lookup (exploit_kit.rules)
  • 2061693 - ET EXPLOIT_KIT Fake Captcha Domain (cesiabs .com) in DNS Lookup (exploit_kit.rules)
  • 2061694 - ET EXPLOIT_KIT Fake Captcha Domain (jehvkc .org) in DNS Lookup (exploit_kit.rules)
  • 2061695 - ET EXPLOIT_KIT Fake Captcha Domain (njolekaz .org) in DNS Lookup (exploit_kit.rules)
  • 2061696 - ET EXPLOIT_KIT Fake Captcha Domain (amoliera .info) in DNS Lookup (exploit_kit.rules)
  • 2061697 - ET INFO DYNAMIC_DNS Query to a *.budjettravel .net domain (info.rules)
  • 2061698 - ET INFO DYNAMIC_DNS HTTP Request to a *.budjettravel .net domain (info.rules)
  • 2061699 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agroeconb .live) (malware.rules)
  • 2061700 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (agroeconb .live) in TLS SNI (malware.rules)
  • 2061701 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ecoexpanpd .live) (malware.rules)
  • 2061702 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ecoexpanpd .live) in TLS SNI (malware.rules)
  • 2061703 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (econusi .digital) (malware.rules)
  • 2061704 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (econusi .digital) in TLS SNI (malware.rules)
  • 2061705 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (franecont .run) (malware.rules)
  • 2061706 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (franecont .run) in TLS SNI (malware.rules)
  • 2061707 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (qinspiringecho .rest) (malware.rules)
  • 2061708 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (qinspiringecho .rest) in TLS SNI (malware.rules)
  • 2061709 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rainyreplacwv .site) (malware.rules)
  • 2061710 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rainyreplacwv .site) in TLS SNI (malware.rules)
  • 2061711 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thundercoall .live) (malware.rules)
  • 2061712 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thundercoall .live) in TLS SNI (malware.rules)
  • 2061713 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (piratetwrath .run) (malware.rules)
  • 2061714 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (piratetwrath .run in TLS SNI) (malware.rules)
  • 2061715 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quilltayle .live) (malware.rules)
  • 2061716 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quilltayle .live in TLS SNI) (malware.rules)
  • 2061717 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starofliught .top) (malware.rules)
  • 2061718 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (starofliught .top in TLS SNI) (malware.rules)
  • 2061719 - ET MALWARE CHStealer getshortinfo Command CnC Checkin (malware.rules)
  • 2061720 - ET MALWARE CHStealer checkping Command CnC Checkin (malware.rules)
  • 2061721 - ET WEB_SERVER SonicWall SMA Unauthenticated handleWAFRedirect CGI Arbitrary File Deletion (CVE-2021-20034) (web_server.rules)
  • 2061722 - ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles RAC_DOWNLOAD_TAR Method Arbitrary File Deletion (web_server.rules)
  • 2061723 - ET HUNTING Powershell Script Inbound Which Downloads C++ Compiler (Used by Stagers) (hunting.rules)
  • 2061724 - ET WEB_SERVER SonicWall SMA Post-Auth Python Management API Remote Code Execution (CVE-2021-20044) (web_server.rules)
  • 2061725 - ET WEB_SERVER SonicWall SMA Pre-Auth Stored Cross-Site Scripting (web_server.rules)
  • 2061726 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .purepassionwellness .com) (malware.rules)
  • 2061727 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .purepassionwellness .com) (malware.rules)

Pro:

  • 2852666 - ETPRO RETIRED Observed SSL Cert (anysrc .net) (retired.rules)
  • 2853036 - ETPRO RETIRED Security Awareness Campaign Domain in DNS Lookup (retired.rules)
  • 2855905 - ETPRO RETIRED Win32/Apocalypse RAT CnC Checkin (checkcmd) (retired.rules)
  • 2855906 - ETPRO RETIRED Win32/Apocalypse RAT CnC Checkin (checkcmd) - Acknowledgement (retired.rules)
  • 2861182 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2861183 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2861184 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Removed rules:

  • 2018372 - ET EXPLOIT Malformed HeartBeat Request (exploit.rules)
  • 2018373 - ET EXPLOIT Malformed HeartBeat Response (exploit.rules)
  • 2018374 - ET EXPLOIT Malformed HeartBeat Request method 2 (exploit.rules)
  • 2036985 - ET MALWARE Observed DNS Query to Maldoc Domain (webnar .info) (malware.rules)
  • 2037107 - ET MALWARE Win32/Delf.TJJ CnC Checkin M1 (malware.rules)
  • 2037108 - ET MALWARE Win32/Delf.TJJ CnC Checkin M2 (malware.rules)
  • 2037111 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (dsk .5636 .com) (malware.rules)
  • 2037112 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (wx .go890 .com) (malware.rules)
  • 2037113 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cfg .jipinwan .com) (malware.rules)
  • 2037114 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (bk .957wan .com) (malware.rules)
  • 2037115 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (www .58sky .com) (malware.rules)
  • 2037116 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cnwx .58ad .cn) (malware.rules)
  • 2037117 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (gc .wb51 .com) (malware.rules)
  • 2037118 - ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cmps .58sky .com) (malware.rules)
  • 2037143 - ET MALWARE ZuoRAT CBeacon CnC (malware.rules)
  • 2037741 - ET ADWARE_PUP AlphabetSoup Adware Extension CnC Checkin (adware_pup.rules)
  • 2038900 - ET MALWARE Win32/Agent.XXZ Checkin (malware.rules)
  • 2038901 - ET MALWARE Win32/Covagent Checkin (malware.rules)
  • 2039778 - ET MALWARE GO/Titan Stealer Data Exfiltration Attempt (malware.rules)
  • 2043198 - ET MALWARE Win32/Aurora Stealer WORK Command (malware.rules)
  • 2043199 - ET MALWARE Win32/Aurora Stealer Accept Command (malware.rules)
  • 2043200 - ET MALWARE Win32/Aurora Stealer Thanks Command (malware.rules)
  • 2045222 - ET MALWARE TA453 Modified IIS-Raid Backdoor Module Headers in HTTP Request (malware.rules)
  • 2045223 - ET MALWARE TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request (malware.rules)
  • 2045224 - ET MALWARE TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request (malware.rules)
  • 2045225 - ET MALWARE IIS-Raid Module Backdoor Default Headers in HTTP Request (malware.rules)
  • 2045226 - ET MALWARE IIS-Raid Module Backdoor Ping in HTTP Request (malware.rules)
  • 2045298 - ET MALWARE Truebot/Silence.Downloader No Tasking Response from Server (malware.rules)
  • 2045299 - ET MALWARE TrueBot/Silence.Downloader CnC Checkin 4 (malware.rules)
  • 2046259 - ET MALWARE Kimsuky ReconShark Related APT Activity (malware.rules)
  • 2046729 - ET MALWARE [ANY.RUN] Remcos RAT Checkin 861 (malware.rules)
  • 2046730 - ET MALWARE GobRAT CnC Domain in DNS Lookup (ktlvz .dnsfailover .net) (malware.rules)
  • 2046731 - ET MALWARE GobRAT CnC Domain in DNS Lookup (wpksi .mefound .com) (malware.rules)
  • 2046732 - ET MALWARE GobRAT CnC Domain in DNS Lookup (su .vealcat .com) (malware.rules)
  • 2046733 - ET MALWARE Observed GobRAT Domain (ktlvz .dnsfailover .net) in TLS SNI (malware.rules)
  • 2046734 - ET MALWARE Observed GobRAT Domain (wpksi .mefound .com) in TLS SNI (malware.rules)
  • 2046735 - ET MALWARE Observed GobRAT Domain (su .vealcat .com) in TLS SNI (malware.rules)
  • 2046881 - ET MALWARE Suspected Andariel RexPot CnC Checkin M1 (malware.rules)
  • 2046882 - ET MALWARE Suspected Andariel RexPot CnC Checkin M2 (malware.rules)
  • 2047004 - ET MALWARE Win32/OriginLoader CnC Checkin (malware.rules)
  • 2047005 - ET MALWARE MacOS/Realst CnC Checkin (malware.rules)
  • 2047616 - ET MALWARE MacOS/RustBucket System Information Exfiltration Attempt (malware.rules)
  • 2047638 - ET MALWARE APT29 CnC Domain in DNS Lookup (sgrhf .org .pk) (malware.rules)
  • 2047639 - ET MALWARE APT29 CnC Domain in DNS Lookup (toyy .zulipchat .com) (malware.rules)
  • 2047640 - ET MALWARE APT29 CnC Domain in DNS Lookup (edenparkweddings .com) (malware.rules)
  • 2047641 - ET MALWARE Observed APT29 Domain (sgrhf .org .pk) in TLS SNI (malware.rules)
  • 2047642 - ET MALWARE Observed APT29 Domain (toyy .zulipchat .com) in TLS SNI (malware.rules)
  • 2047643 - ET MALWARE Observed APT29 Domain (edenparkweddings .com) in TLS SNI (malware.rules)
  • 2047751 - ET ADWARE_PUP Suspected Adware/AccessMembre Domain in DNS Lookup (iconm1 .com) (adware_pup.rules)
  • 2047959 - ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M5 (malware.rules)
  • 2047960 - ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M6 (malware.rules)
  • 2047961 - ET MALWARE Red Wolf/RedCurl Implant Checkin (malware.rules)
  • 2048084 - ET MOBILE_MALWARE Android/MMRAT Data Exfiltration Attempt (mobile_malware.rules)
  • 2048104 - ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (malware.rules)
  • 2048105 - ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup (malware.rules)
  • 2048118 - ET MALWARE Earth Lusca/SprySOCKS CnC Checkin (malware.rules)
  • 2048397 - ET MALWARE BunnyLoader - Initial CnC Checkin (malware.rules)
  • 2048399 - ET MALWARE BunnyLoader CnC Checkin - Retrieve Tasking (malware.rules)
  • 2048400 - ET MALWARE BunnyLoader CnC Tasking Response (malware.rules)
  • 2048401 - ET MALWARE BunnyLoader CnC Checkin - Echoer (malware.rules)
  • 2048402 - ET MALWARE BunnyLoader CnC Checkin - Heartbeat (malware.rules)
  • 2048404 - ET MALWARE BunnyLoader CnC Checkin - ResultCMD (malware.rules)
  • 2048405 - ET MALWARE BunnyLoader Data Exfiltration Attempt (malware.rules)
  • 2049140 - ET MALWARE Win32/Fewin Stealer Data Exfiltration Attempt (malware.rules)
  • 2049152 - ET MALWARE Win32/Unknown RAT CnC Checkin (malware.rules)
  • 2049794 - ET MALWARE Possible KV Botnet CnC Checkin (malware.rules)
  • 2049813 - ET MALWARE Win32/Koi Loader CnC Checkin M1 (malware.rules)
  • 2049814 - ET MALWARE Win32/Koi Loader CnC Checkin M2 (malware.rules)
  • 2049815 - ET MALWARE Win32/Koi Loader CnC Checkin M3 (malware.rules)
  • 2049816 - ET MALWARE Win32/Koi Stealer CnC Checkin (POST) M1 (malware.rules)
  • 2050236 - ET MALWARE Trojanized Software Download Domain in DNS Lookup (macyy .cn) (malware.rules)
  • 2050237 - ET MALWARE Khepri CnC Domain in DNS Lookup (securecrt .cc) (malware.rules)
  • 2050238 - ET MALWARE Khepri CnC Domain in DNS Lookup (ultraedit .info) (malware.rules)
  • 2050239 - ET MALWARE Khepri CnC Domain in DNS Lookup (securecrt .vip) (malware.rules)
  • 2050240 - ET MALWARE Khepri CnC Domain in DNS Lookup (rdesktophub .com) (malware.rules)
  • 2050241 - ET MALWARE Khepri CnC Domain in DNS Lookup (macnavicat .com) (malware.rules)
  • 2050242 - ET MALWARE Khepri CnC Domain in DNS Lookup (vscode .digital) (malware.rules)
  • 2050243 - ET MALWARE Khepri CnC Domain in DNS Lookup (ultraedit .vip) (malware.rules)
  • 2050244 - ET MALWARE Khepri CnC Domain in DNS Lookup (finallshell .cc) (malware.rules)
  • 2050245 - ET MALWARE Khepri CnC Domain in DNS Lookup (finalshell .me) (malware.rules)
  • 2050246 - ET MALWARE Khepri CnC Domain in DNS Lookup (rdesktopconnect .com) (malware.rules)
  • 2050247 - ET MALWARE Khepri CnC Domain in DNS Lookup (xmindcn .cc) (malware.rules)
  • 2050248 - ET HUNTING Suspicious Request for bd.log (hunting.rules)
  • 2050249 - ET HUNTING Suspicious Request for fs.log (hunting.rules)
  • 2050279 - ET MALWARE [ANY.RUN] ZharkBOT HTTP CnC Checkin (malware.rules)
  • 2852666 - ETPRO POLICY Observed SSL Cert (anysrc .net) (policy.rules)
  • 2853036 - ETPRO PHISHING Security Awareness Campaign Domain in DNS Lookup (phishing.rules)
  • 2855905 - ETPRO MALWARE Win32/Apocalypse RAT CnC Checkin (checkcmd) (malware.rules)
  • 2855906 - ETPRO MALWARE Win32/Apocalypse RAT CnC Checkin (checkcmd) - Acknowledgement (malware.rules)